Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/5/84; site sunybcs.UUCP
Path: utzoo!watmath!sunybcs!ugbowen
From: ugbowen@sunybcs.UUCP (Devon Bowen)
Newsgroups: net.crypt
Subject: Re: foiling password crackers
Message-ID: <2904@sunybcs.UUCP>
Date: Fri, 7-Mar-86 20:49:38 EST
Article-I.D.: sunybcs.2904
Posted: Fri Mar 7 20:49:38 1986
Date-Received: Sat, 8-Mar-86 05:34:51 EST
References: <974@decwrl.DEC.COM> <262@birtch.UUCP> <210@duts.UUCP>
Distribution: na
Organization: SUNY/Buffalo Computer Science
Lines: 25
Summary: A modification on cutting the user off

> > >>We have all heard of losers who try to break into systems by calling
> > >>up, and trying to log in by exhaustively trying groups of possible
> > >>passwords. Some login programs hang up the phone after a number of
> > >>attempts. A simple refinement which I've never heard mentioned would
> > >>be to have the login program simply disable the ability to log in
> > >>successfully after a number of attempts, without notifying the user.
> > >>This would let the unsuspecting loser keep trying to log into your
> > >>system while you had plenty of time to trace his phone line without
> > >>your having to worry about his gaining entry to your system.

I think a better way to ensure that you have time to trace the call would be
to set up a mock account as a default account that would be automatically
logged into after a number of unsuccessful attempts. This account could have
seemingly important files and programs. This would encourage the hacker to
stay on the system for a long period of time. Logging into this account would
also alert security and they could trace the call.

I hear IBM's mainframe has a fool-proof way of dealing with hackers. The
computer stores each user's phone number in memory. When the user calls in and
completes the login correctly, the mainframe hangs up and calls the user back.
This way the hacker would have to be at the user's house to do any hacking!

Devon E
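
The mock-account and call-back ideas from the article above, written out as a login decision routine. This is an added example, not part of the original post or of any real login program; the `LoginGate` class, the threshold of three, and the sample user and phone number are all assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field

MAX_FAILURES = 3  # assumed threshold; the post only says "a number of" attempts


@dataclass
class LoginGate:
    passwords: dict      # user -> password (constructed data; plaintext only to keep this short)
    phone_on_file: dict  # user -> number the system dials back
    failures: dict = field(default_factory=dict)  # call id -> failed attempts so far
    alerts: list = field(default_factory=list)    # notices for the security staff

    def attempt(self, call, user, password):
        """Return (action, detail) for one login attempt made during one phone call."""
        expected = self.passwords.get(user, "")
        ok = user in self.passwords and hmac.compare_digest(
            expected.encode(), password.encode())
        count = self.failures.get(call, 0)
        if not ok and count < MAX_FAILURES:
            count += 1
            self.failures[call] = count
            if count < MAX_FAILURES:
                return ("retry", None)
        if count >= MAX_FAILURES:
            # Tripped call: always the mock account, even for a correct password,
            # and security is told so the call can be traced.
            self.alerts.append(f"decoy session on call {call}, last user tried: {user}")
            return ("decoy", None)
        number = self.phone_on_file.get(user)
        if number is None:
            return ("deny", None)  # no number on file, so no call-back is possible
        # Correct login: hang up and dial the number on file; the caller's own
        # line never gets a real session.
        return ("callback", number)


if __name__ == "__main__":
    gate = LoginGate({"alice": "s3cret"}, {"alice": "555-0100"})  # constructed sample
    for guess in ["aaa", "bbb", "ccc", "s3cret"]:
        print("call-2", guess, gate.attempt("call-2", "alice", guess))
    print("call-1", gate.attempt("call-1", "alice", "s3cret"))
    print(gate.alerts)
```

The failure counter is kept per call rather than per account, so guesses made on one line do not push the real user into the mock account when they dial in on another.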